All About Cookies and Security

This is an article on All About Cookies and Security in Ethical hacking Tips.

Introduction

I've seen so many hacking tutorials about XSS, SQL injection, and many topics along those lines, but I've seen very little dealing with cookies as potential attack vectors or security risks. h4x0r and I were talking a little while back, and it was decided that I would write a tutorial to fill that void. So here it is, all about cookies. What they are, how they're used, the security risks they can present, and how they can be exploited.

Note: Keep in mind that this tutorial was written with the same disclaimer as most others... it's for educational purposes only, use this information to secure your website, not break the law, etc.

OK, so now that we got that out of the way, let's get started!

What are cookies and how are they used by websites and web admins?

Cookies identify you to the site. They store settings about your customized look and feel for the pages you view, your username and encrypted password or user id, who referred you to the site, profile preferences, and just about any kind of information the admins want them to store to customize your user experience. Cookies are most commonly used to give you access to login protected pages once you've entered your information, identify you in content that you change on the site (forum posts or article comments, for example), tell the administrators how you found the site, and more. Again, cookies will function as their creators have written them to function. This sounds like a simple, obvious statement, but it can't be overlooked. We'll see why later.

So what are the effects if cookies are manipulated?

Insecure cookies can be changed to allow you access to protected pages (ex admin), change your user id to impersonate other users, etc. Up until now, this tutorial has been all theoretical information, so how about a little real-life application now?

I remember testing a website whose admin knew very little about security. The website worked like this: the user would log in and the site would check the username and password combination. If they were correct, then the site would give the user a cookie containing their user id (ex: 1428) to identify them to the site for the remainder of their session, their username to be displayed on the content they changed (ex: fourthdimension), and some other miscellaneous info like local time, referrer, etc. Like I mentioned earlier, sites will only use cookies as well as their administrator created them to. Are you beginning to see what could happen if administrators use cookies insecurely like this one did? If not, you will in a few minutes. The minute I saw my cookie and understood how the site used it, I knew the site was mine. The first thing I did was fool around with changing the value of my username. Sure enough, when I posted comments on the site, the comment author fields displayed whatever I had just changed my cookie's username value to. Well, that was fun, but not very useful unless I wanted to use it for phishing or social engineering, none of which were objectives in this test, so I decided to take note of it in my report and move on. What about the user id field? Like I said, the site would check for a valid username/pass combo ONCE, when the user logged in. After that, it relied on the cookie to tell it who the user was. That made the user id field a pretty promising field to change if I want to escalate my privileges on the site or control other users' accounts. Sure enough, as I changed the user id, I would change who I was logged in as. (Note that the display name didn't change because that was stored seperately as I mentioned earlier, but all the user info and preferences, etc changed, so I was sure that it worked.) Working on the assumption that the user id wasn't a randomly generated number but actually the member number assigned by the order of registration, I decided to try for the admin's account, which would have the user id of 1 or 0001 or something along those lines. After a few minutes of tweaking that logic, I was logged in as the site administrator. After finding a few more errors (xss, php validation, etc) I sent him the report. So now do you see how powerful changing your cookie can be if site administrators don't user secure cookies or use their cookies securely? I didn't even need to know the admin's username or password, and since there were no visible attacks on the site, there was nothing to raise anyone's suspiscion. Cookies can be usefull tools when used correctly by web admins, but powerfull attack vectors to be exploited when used incorrectly.

So now that you understand the theory and applications of cookies, you're probably wondering how you can edit them on your own. There are many ways to change cookies, such as javascript injections, dozens of firefox addons, etc. My favorite way is by using a firefox addon called Firecookie, which is actually an extension to another firefox addon, firebug. You can download them from mozilla's official addon site (firebug must be installed first):

If you don't have firefox, get firefox. Now that you have them installed, I'll give you a quick guide to editing cookies with them. There's a lot more you can do with firebug, so I'd encourage you to look at some tutorials for its other features as well, like editing pages' source code on the fly with its Inspect feature. That aside, back to editing cookies. Click the firebug icon on the bottom right of your firefox window. Now click on the Cookies tab at the top of the window that pulls up. Fill in the checkbox for Cookies and click apply. Click OK on any windows that pop up about resending data. Now you should see a listing of the cookie field and values, among other things. Right click on the field you want to change and click edit. Change the value field to whatever you want. You may need to change the session only check box or the expiration date to get the cookie to stay once the page has refreshed, depending on the page. Once you've changed the value, refresh the page. If you still see your cookie in the firecookie window, then your cookie is in effect. If not, you may need to play with some of the settings as I mentioned earlier.

And that's the basics of cookie hacking! Now you know all you need to understand cookie stealing and more.